August 17, 2023 By Jonathan Reed 4 min read

It’s no surprise that cyber criminals target high-profile individuals or those with access privilege. Malicious actors often use social engineering and whale phishing attacks against these people to breach systems. But households and family members of company executives may also be the target of cyberattacks. In some cases, such as sextortion attempts, criminals demand monetary payment.

There’s also a new trend where family members are being targeted, but the actors aren’t asking for money. Instead, attackers seek network access, passwords and requests to download files — all in an attempt to reach bigger targets and carry out wider attacks.

In short, modern company security should also include household security.

No perimeter to secure

If anything, the pandemic eliminated any notion of perimeter-based security. How many companies these days have employees connecting from a distance? How many businesses have hundreds, if not thousands, of devices connecting to their network? While the security risks are clear, 24/7 availability from any place on any device enables brands to stay competitive. And this means security must extend to all endpoints, human and machine, to secure a company’s network.

While we obsess over online security, threat actors might not stay limited to digital-only tactics. For example, cyber pro Reuven Aronashvili reported a case that involved the teenage son of an executive. The actors threatened to reveal that the teen was gay — something he had not shared with his family at the time — unless he installed some files on his home Wi-Fi network. Once the files were installed, the attacker could then target his mother, the executive.

The FBI has also released a warning about the rise of “sextortion” attacks. As per the FBI, “Sextortion occurs when someone threatens to distribute your private and sensitive material if their demands are not met.”

Sextortion and social engineering

Sextortion may be considered a type of social engineering attack. Most victims report that the aggressor makes initial contact through dating websites or apps. After gaining confidence, the fraudster lures the target to continue the conversation on a private messaging platform.

The actor then encourages the victim to exchange sexually explicit material. They might invite them to video chats or ask for explicit photos. Once the victim complies, the criminal begins to demand money to prevent the release of the photos or videos on social media. The attacker may also gain access to the victim’s social media or contact information and threaten to send the images to the victim’s family and friends.

As per Aronashvili, a new type of sextortion attack — to demand file download or network access — is growing rapidly. He said these attacks were unheard of as recently as 2021 when most sextortion attempts demanded a straightforward payout.

“Now, by asking for access and file downloads, attackers are seeking to use sextortion as the first step in reaching potentially larger targets, with potentially larger profits,” he said. Attackers may initially target family members to eventually attack the company, its suppliers or its customers, according to Aronashvili.

Family cyber awareness is company cyber awareness

The reality is that nefarious actors frequently target young people. For example, recent reports suggest that online grooming crimes are rising. This alone makes it essential to teach family and household members about cyber risks. Now, criminals are also grooming family members hoping to gain access to company networks. So when security teams think about cyber awareness, they should be talking to teams about security at home as well.

These intrusions get too close for comfort in some cases. For example, Mandiant Consulting CTO Charles Carmakal shared a story about a client who was being extorted. Carmakal said the client received flowers from the threat actor with a very polite but intimidating message.

“It’s a very different story if you’re an executive of the company, and your daughter is being harassed by a threat actor. Your desire to pay or your willingness to pay shoots up tenfold when you’re dealing with personal attacks,” Carmakal said.

Beware of gamer fraud

Cyberattacks against gamers have seen rapid growth recently. And Kaspersky Lab reported that cyberattacks on young gamers shot up 57 percent in 2022. As per the report, cyber criminals launched more than 7 million attacks on children, exploiting popular game titles in 2022.

Phishing pages target young players by mimicking global titles, such as Roblox, Minecraft, Fortnite and Apex Legends games. The report points out that to reach parents’ devices, cyber criminals lure children to fake game sites and phishing pages to download malicious files.

It was also reported that a common social engineering method involves offers to download popular cheats and mods for games. On some phishing sites, kids can access a manual on how to properly install a cheat. The manual may even include specific instructions about how to disable the antivirus before installing a file. Some young players may fall for this, so any malware they download can avoid detection on the infected device. And the longer the user keeps their antivirus, the more information the malware can collect from the victim’s computer.

The report also noted that children’s games attacked even included games for the youngest players, such as Poppy Playtime and Toca Life World. These games are designed for 3 to 8-year-old players.

Bring cyber awareness home

Internet access makes every person in a household a potential victim. Crimes like kidnapping or sexual abuse can occur due to social engineering grooming. Plus, company breaches can occur due to sloppy cyber hygiene at home.

The Kaspersky report offers the following advice (adapted for this article):

  • Show interest in your kids’ online activity. Sit down with them to watch their favorite series or listen to music tracks together.
  • Consider using parental control apps, especially for the younger people at home. Don’t forget to explain how the apps work and why they’re important for safety.
  • Teach kids that sensitive information should only be shared via messengers and only with people they know in real life. Be a role model and exhibit examples of good online behavior.
  • Spend time talking to your kids about online safety measures. Encourage them to ask before downloading anything. Pay attention to your own habits.
  • Make talks about cybersecurity more enjoyable and interesting by discussing them with your child through games and more engaging formats.

Cyber risk is more pervasive than ever — at work and at home. Educate yourself, your teams and your family. And stay secure.

More from Risk Management

Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709

4 min read - On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code.While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for…

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today